UNIVERSITIES'
USE OF SOCIAL
SECURITY NUMBERS AS STUDENT
IDENTIFIERS IN REGION II

July 2005

A-02-05-25104

AUDIT
REPORT

Mission

We improve SSA programs and operations and protect them against fraud, waste,
and abuse by conducting independent and objective audits, evaluations, and investigations.
We provide timely, useful, and reliable information and advice to Administration
officials, the Congress, and the public.

Authority

The Inspector General Act created independent audit and investigative units,
called the Office of Inspector General (OIG). The mission of the OIG, as spelled
out in the Act, is to:

Conduct and supervise independent and objective audits and investigations
relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation
and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems
in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.

Vision

By conducting independent and objective audits, investigations, and evaluations,
we are agents of positive change striving for continuous improvement in the
Social Security Administration's programs, operations, and management and in
our own office.

MEMORANDUM

Date: July 27, 2005

To: Beatrice M. Disman
Regional Commissioner New York

From: Inspector General

Subject: Universities' Use of Social Security Numbers as Student Identifiers
in Region II (A-02-05-25104)

OBJECTIVE

Our objective was to assess universities' use of Social Security numbers (SSN)
as student identifiers in Region II and the potential risks associated with
such use.

BACKGROUND

Millions of students enroll in educational institutions each year. To assist
in this process, many colleges and universities use students' SSNs as personal
identifiers. The American Association of Collegiate Registrars and Admissions
Officers found that almost half (1,036) of member institutions that responded
to a 2002 survey used SSNs as the primary student identifier.

The potential for identity theft increases each time an individual's SSN is
divulged. Recent incidents of identity theft at universities have led some schools
to reconsider the practice of using SSNs as the primary student identifier.
However, at many universities, students continue to be identified by their SSN.

The Privacy Act of 1974, Family Educational Rights and Privacy Act (FERPA),
Social Security Act, and New York State Educational Law contain provisions that
govern disclosure and use of SSNs. For example, FERPA requires that educational
institutions, which receive funds under an applicable program of the U.S. Department
of Education, have written permission from the parent or eligible student to
release or display any personally identifiable information from a student's
education record.
Similarly, the New York State Educational Law prohibits, in most cases, universities
in New York State from displaying SSNs on students' public listing of grades,
class rosters or other lists provided to teachers; student identification (ID)
cards; or in student directories or similar listings. See Appendix B for more
information on specific legal provisions.

We selected a sample of seven universities in Region II. For each selected
school, we interviewed university personnel and reviewed school policies and
practices for the use of SSNs. We also coordinated with the Social Security
Administration's Office of General Counsel and the Department of Education's
Office of the Inspector General for further clarification on laws related to
universities' use of SSNs. See Appendix C for a full description of our scope
and methodology.

RESULTS OF REVIEW

Our review showed that the SSN was the primary method of student ID for four
of the seven universities we selected. We also identified three universities
in the region that did not use the SSN as the primary student identifier. The
use of the SSN as the primary student identifier made the SSN vulnerable to
risk of identity theft.

FOUR UNIVERSITIES USED THE SSN AS PRIMARY STUDENT IDENTIFIER

Despite the increasing threat of identity theft, officials from four universities
stated that their schools used the SSN as the primary student identifier. Two
examples follow.

ID Cards: Officials from three of the four universities stated the SSN appeared
on student ID cards. One university official stated that students' SSNs were
displayed on the back of ID cards. In general, the student SSN was also printed
on receipts from the library and bookstore and on overdue book notices that
were mailed to students.

Postcards: Officials from three universities stated that SSNs were collected
on postcards. The postcards were sent to students from their respective schools
to obtain information.

In addition, we found that officials from each of the four universities stated
the SSN was used to access the Internet and/or other computer systems. Although
the Internet and most computer systems use an encryption to prevent identity
theft, it is still possible the system could be hacked into. Additionally, in
some cases, forms that were accessible to students in the universities' computer
systems clearly displayed students' SSNs when they were printed.

When asked why the SSN was used as a student identifier, some officials informed
us they were unaware of any legislation limiting the use of the SSN. Those who
were aware of legislation cited the cost of converting to a new identifier system
as a barrier. One official stated that plans to eliminate the use of SSNs as
the primary student identifier have been addressed but have not yet been formally
adopted. The clear display of students' SSNs on cards and documents that may
have been seen and accessed by other individuals made the number vulnerable
to identity theft.

THREE UNIVERSITIES DID NOT USE THE SSN AS PRIMARY STUDENT IDENTIFIER

Our review found that three universities did not use the SSN as the primary
student identifier. An official from one of the universities in New Jersey selected
for our review stated they no longer used the SSN as the primary student identifier.
New York has enacted a law that regulates universities' SSN use. The New York
State Education Law prohibits the display of a student's SSN on " public
listing[s] of grades, on class rosters or other lists provided to teachers,
student identification cards, [and] in student directories or similar listings unless
specifically authorized or required by law...." Accordingly, the two universities
in New York did not use the SSN as the primary student identifier.

In previous preliminary research conducted by the Office of the Inspector General,
which did not result in an audit report, one of the universities selected in
New York State for our review requested students' SSNs on postcards. The university
has changed this practice. A university official stated that the SSN was no
longer requested on postcards.

The same official informed us the university did not use the SSN as the primary
student ID. The university uses a computer-generated student ID number as a
primary student ID. When registering for classes, students use a logon ID and
password. The last six digits of the SSN is the initial password, but students
are prompted to change this at the first logon. The same course of action applies
when students initially access on-line services. However, the requirement to
enter the last six digits of the SSN will be eliminated when the university's
new Student Information System is implemented, tentatively scheduled for 2007.
Although, the school's undergraduate and graduate admission applications request
the SSN, we noted that providing an SSN was not mandatory for admission.

An official at the other New York State university stated that the school did
not use the SSN as the primary student identifier. Specifically, a new system
of ID was implemented in November 2002. This conversion was done to comply with
the New York State Education Law regarding the use and display of the SSN. The
system generates ID numbers for students. According to university personnel,
these ID numbers are called X-numbers (eight-digit ID numbers beginning with
the letter X).

All university employees and students have X-numbers for ID. On-line services
at the university do not require the student's SSN. The SSN appears as an asterisk
on the form for requesting transcripts.

CONCLUSION AND RECOMMENDATIONS

We found that SSNs were vulnerable to identity theft at four of the universities
we contacted since they used the SSN as a primary student ID. The schools used
the SSNs in ways that potentially exposed them to individuals other than the
numberholders. While we recognize the Social Security Administration cannot
directly prohibit universities from using SSNs, it can help reduce potential
threats by encouraging schools to limit SSN use. Additionally, the Department
of Education's Family Policy Compliance Office provides technical assistance
to universities covered by FERPA to ensure compliance with the Act. The Social
Security Administration could work with the Family Policy Compliance Office
to help better educate universities that appear to be in noncompliance with
FERPA.

Accordingly, we recommend that the Regional Commissioner:

1. Contact the universities that used the SSN as the primary student identifier,
and others in the region, to educate the community about the potential risks
associated with using SSNs as student identifiers.

2. Ask the Department of Education's Family Policy Compliance Office to assist
those universities in Region II that use the SSN as the primary student identifier
to ensure they are complying with FERPA.

AGENCY COMMENTS

The Agency agreed with our recommendations and has initiated corrective actions.
The Agency's comments are included in Appendix D.

C.F.R. Code of Federal Regulations
FERPA Family Educational Rights and Privacy Act
ID Identification
OIG Office of the Inspector General
Pub. L. No. Public Law Number
SSN Social Security Number
U.S.C. United States Code

Appendix B
Federal and State Laws that Govern Disclosure and Use of the Social Security
Number

The following laws establish a general framework for disclosing and using the
Social Security number (SSN).

The Privacy Act of 1974 provides that it is unlawful for a State government
agency to deny any person a right, benefit, or privilege provided by law based
on the individual's refusal to disclose their SSN, unless such disclosure was
required to verify the individual's identity under a statute or regulation in
effect before January 1, 1975. Further, under Section 7(b), a State agency requesting
that an individual disclose their SSN must inform the individual whether the
disclosure is voluntary or mandatory, by what statutory or other authority the
SSN is solicited, and what uses will be made of the SSN.

The Family Educational Rights and Privacy Act (FERPA) protects the privacy
of student education records. FERPA applies to those schools that receive funds
under an applicable program of the U.S. Department of Education. Under FERPA,
an educational institution must have written permission from the parent or eligible
student to release any personally identifiable information (which include SSNs)
from a student's education record. FERPA does, however, provide certain exceptions
in which a school is allowed to disclose records without consent. These exceptions
include disclosure without consent to university personnel internally who have
a legitimate educational interest in the information, to officials of institutions
where the student is seeking to enroll/transfer, to parties to whom the student
is applying for financial aid, to the parent of a dependent student, to appropriate
parties in compliance with a judicial order or lawfully issued subpoena, or
to health care providers in the event of a health or safety emergency.

The Social Security Act

The Social Security Act states, "[s]ocial security account numbers and
related records that are obtained or maintained by authorized persons pursuant
to any provision of law, enacted on or after October 1, 1990, shall be confidential,
and no authorized person shall disclose any such social security account number
or related record." (42 U.S.C. § 405(c)(2)(C)(viii)). The Social Security
Act also states, " [w]hoever discloses, uses, or compels the disclosure
of the social security number of any person in violation of the laws of the
United States; shall be guilty of a felony " (42 U.S.C. § 408(a)(8)).

New York Education Code (NY CLS Edu § 2-b.)

Use of student SSNs is restricted. "No public or private [university]
shall display any student's social security number to identify such student
for posting or public listing of grades, on class rosters or other lists provided
to teachers, on student identification cards, in student directories or similar
listings, or, unless specifically authorized or required by law, for any public
identification purpose."

New Jersey Annotated Statutes (N.J. Stat §18A:3-28)

Use of student SSNs is restricted. "No public or independent institution
of higher education in the State shall display any student's social security
number to identify that student for posting or public listing of grades, on
class rosters or other lists provided to teachers, on student identification
cards, in student directories or similar listings, unless otherwise required
in accordance with applicable State or federal law." This law becomes effective
January 26, 2006.

coordinated with the Social Security Administration's Office of General Counsel
in Region II and the Department of Education Office of the Inspector General
to further clarify use of SSNs as a primary student identifier as it relates
to universities.

We visited two universities and conducted telephone interviews with officials
at five other universities to assess their uses of the SSNs as student identifiers.
The scope of our audit was to select two universities in each area of Region
II. In each area, 1 university had an enrollment of 15,000 or more students,
and the other had an enrollment of 14,999 or less. Our review of internal controls
was limited to gaining an understanding of universities' policies over the collection,
protection, use and disclosure of SSNs. We conducted our field work from December
2004 through February 2005. Our audit was conducted in accordance with generally
accepted government auditing standards.

Appendix D
Agency Comments

SOCIAL SECURITY

MEMORANDUM

Date: July 14, 2005

To: Inspector General
From: Regional Commissioner New York
Subject: OIG Draft Report On Universities' Use Of Social Security Numbers As
Student Identifiers in Region II, Audit No. 22005016 - REPLY

We have reviewed the draft report and are in agreement with the recommendations
made by the OIG. Following are our actions to date:

Recommendation 1: Three of the universities that used the SSN as the primary
student identifier are located in Puerto Rico and the fourth is in New Jersey.
We have asked our Area Directors for those geographic areas to initiate our
efforts to meet with the universities.

Recommendation 2: We will ask, if necessary, the Department of Education's
Family Policy Compliance Office to assist those universities that use the SSN
as the primary student identifier to ensure they are complying with FERPA.

Should your staff have any questions, they may contact Dennis Mass, Director,
Center for Programs Support at 212 264-4004.

Acknowledgments
In addition to those named above:
Abraham Pierre, Auditor in Charge
Denise Molloy, Program Analyst

For additional copies of this report, please visit our web site at www.socialsecurity.gov/oig
or contact the Office of the Inspector General's Public Affairs Specialist at
(410) 965-3218. Refer to Common Identification Number A-02-05-25104.

Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of our Office of Investigations
(OI), Office of Audit (OA), Office of the Chief Counsel to the Inspector General
(OCCIG), and Office of Executive Operations (OEO). To ensure compliance with
policies and procedures, internal controls, and professional standards, we also
have a comprehensive Professional Responsibility and Quality Assurance program.

Office of Audit

OA conducts and/or supervises financial and performance audits of the Social
Security Administration's (SSA) programs and operations and makes recommendations
to ensure program objectives are achieved effectively and efficiently. Financial
audits assess whether SSA's financial statements fairly present SSA's financial
position, results of operations, and cash flow. Performance audits review the
economy, efficiency, and effectiveness of SSA's programs and operations. OA
also conducts short-term management and program evaluations and projects on
issues of concern to SSA, Congress, and the general public.

Office of Investigations

OI conducts and coordinates investigative activity related to fraud, waste,
abuse, and mismanagement in SSA programs and operations. This includes wrongdoing
by applicants, beneficiaries, contractors, third parties, or SSA employees performing
their official duties. This office serves as OIG liaison to the Department of
Justice on all matters relating to the investigations of SSA programs and personnel.
OI also conducts joint investigations with other Federal, State, and local law
enforcement agencies.

Office of the Chief Counsel to the Inspector General

OCCIG provides independent legal advice and counsel to the IG on various matters,
including statutes, regulations, legislation, and policy directives. OCCIG also
advises the IG on investigative procedures and techniques, as well as on legal
implications and conclusions to be drawn from audit and investigative material.
Finally, OCCIG administers the Civil Monetary Penalty program.

Office of Executive Operations

OEO supports OIG by providing information resource management and systems security.
OEO also coordinates OIG's budget, procurement, telecommunications, facilities,
and human resources. In addition, OEO is the focal point for OIG's strategic
planning function and the development and implementation of performance measures
required by the Government Performance and Results Act of 1993.